Description

The New-AzureADGroupAppRoleAssignment cmdlet assigns a group to an application role in Azure Active Directory (AD).

Examples

Example 1: Assign a group to an application without roles

This example assigns a group to an application that doesn't have any app roles defined, using the default app role ID.

# Get the service principal of the app to assign the group to
$servicePrincipal = Get-AzureADServicePrincipal -SearchString "<Your app's display name>"
# Get the group to be assigned
$group = Get-AzureADGroup -SearchString "<Your group's name>"
# Create the group app role assignment
New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId -ResourceId $servicePrincipal.ObjectId -Id ([Guid]::Empty)

Example 2: Assign a group to a specific app role within an application

This example assigns the specified group to a given app role. Please refer to the description of the -Id parameter for more information on how to retrieve application roles for an application.
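The following is an added example, not part of the original documentation, showing the kind of assignment Example 2 describes with checks that prevent granting access to the wrong group or role. The names `Contoso Expenses`, `Expenses Approvers` and `Approver` are constructed placeholders, and reading `AppRoles` from the service principal object is an assumption of this example.

```powershell
# Added example. All names below are constructed placeholders.
$appName   = 'Contoso Expenses'
$groupName = 'Expenses Approvers'
$roleValue = 'Approver'

# Resolve exactly one service principal and one group. A search by name can
# match more than one object, so use an exact filter and stop if ambiguous.
$sp    = @(Get-AzureADServicePrincipal -Filter "displayName eq '$appName'")
$group = @(Get-AzureADGroup -Filter "displayName eq '$groupName'")
if ($sp.Count -ne 1)    { throw "Expected 1 service principal named '$appName', found $($sp.Count)." }
if ($group.Count -ne 1) { throw "Expected 1 group named '$groupName', found $($group.Count)." }
$sp    = $sp[0]
$group = $group[0]

# Select the app role by its Value instead of by position in the AppRoles list,
# so a reordered or extended role list cannot silently change what is granted.
$role = @($sp.AppRoles | Where-Object { $_.Value -eq $roleValue })
if ($role.Count -ne 1) { throw "Expected 1 app role with value '$roleValue', found $($role.Count)." }
$role = $role[0]

# Refuse roles that are disabled or that are not assignable to users and groups.
if (-not $role.IsEnabled) { throw "App role '$roleValue' is disabled." }
if ($role.AllowedMemberTypes -notcontains 'User') {
    throw "App role '$roleValue' does not allow user or group members."
}

# Skip the call if the group already holds this role on this application.
$existing = Get-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -All $true |
    Where-Object { $_.ResourceId -eq $sp.ObjectId -and $_.Id -eq $role.Id }

if ($existing) {
    Write-Output "Group '$groupName' already has role '$roleValue' on '$appName'."
}
else {
    # Create the group app role assignment for the selected role.
    New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId `
        -PrincipalId $group.ObjectId `
        -ResourceId $sp.ObjectId `
        -Id $role.Id
}
```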

Parameters

-Id

The ID of the app role to assign. Provide the Id of the app role to assign the group to, or an empty Guid ([Guid]::Empty) when creating an app role assignment for an application that does not have any app roles defined.

You can retrieve the application's app roles by examining the application object's AppRoles property: